
VPN Setup for Routers - Getting it to work with an IPSec Client

Technical Summary: This article will show how to set up a broadband router that has IPSec VPN capabilities for secure remote access to your home network from anywhere on the Internet. Detailed configuration will be shown for multiple brands of routers. The VPN IPSec client will be SSH Sentinel, since it is free for non-commercial use.

How many times have you been at a friend's house or at work and said, 'Gosh, I wish I could get at that file on my hard drive at home'? With a broadband Internet connection and a shiny new 'VPN Router', you can connect to your home network over the Internet from anywhere on the planet SECURELY. This article will show you how.

Our goal will be to establish an IPSec VPN connection from somewhere on the Internet to your home network. In addition, the remote computer will be able to mount network file shares (and printers too!) located on the home network.

Possible Uses
You can connect to your home hard drive:
• From work
• From a friend's house
• From your laptop while on the road
You could also allow your friends and relatives access to your network over the Internet. That makes file sharing especially easy!
Equipment Needed
1 Solid Broadband Connection to your home
(Preferably with a static IP address)
1 VPN Broadband Router (about $150-$300)
1 Copy of SSH-Sentinel (free for non-commercial use!)
Most of the consumer-level VPN routers operate just about the same way because they all licensed the same IPSec code. The only differences are the number of simultaneous 'VPN Tunnels' they support and how many different 'VPN Profiles' they support at once. They also have the same performance levels: 500kbps to 700kbps maximum IPSec throughput.

A 'VPN Tunnel' is simply an IPSec VPN connection in this case. Each remote computer connecting to your home network is one VPN Tunnel.

A 'VPN Profile' is a set of parameters that define how your router will connect to other VPN end points. Some routers support multiple profiles, which makes it easy to use one router both for connecting to your work intranet 'and' for dialing in from the road.
Configuration Overview
In this example, we will be working with two computers and a VPN Router. Throughout the screen shots and the rest of the article, I will refer to the following IP addresses. Please write them down or print them for reference; it will help you understand the rest of the article.
Home WAN IP: 24.60.60.100 (from your ISP)
Home LAN Router IP: 192.168.100.1
Home LAN IP Network: 192.168.100.0: Subnet 255.255.255.0
Computer on Home LAN: 192.168.100.2
Remote (friends) computer on the Internet: 24.60.60.200
Notes about Your IP Configuration
It is wise to change the IP schema of your home network from the default your router configures. This will aid you in connecting multiple networks together, especially two VPN routers of the same brand. Often the default IP schema is 192.168.1.0/255.255.255.0. All you need to do is change the second-from-last number (octet) to something higher than 2 and less than 255. In this example, I made my LAN 192.168.100.0/255.255.255.0. This step is not totally necessary, but it could save you some routing headaches later.

It is also wise to convert your computers over to STATIC IP addresses instead of dynamic IP addresses. If your computers have dynamic IP addresses, you will not know the IP address of the computer you want to connect to from the road. One day it might be .2, the next day it might be .5. Again, this is not necessary, but it will save you headaches later.

Static IP Schema Example


LAN Computer 1
IP Address: 192.168.100.51
Subnet: 255.255.255.0
Gateway: 192.168.100.1 (router address)
DNS: 192.168.100.1 (router address again)
LAN Computer 2
IP Address: 192.168.100.52
Subnet: 255.255.255.0
Gateway: 192.168.100.1 (router address)
DNS: 192.168.100.1 (router address again)
etc...

VPN Router Tutorial - Getting it to work with an IPSec Client

Part 4: Routing Traffic across the VPN


We are ALMOST finished with the configuration process. The last thing we need to do is tell the client computer to route the correct traffic through the VPN connection.
IP Schema Review
Home WAN IP: 24.60.60.100 (from your ISP)
Home LAN Router IP: 192.168.100.1
Home LAN IP Network: 192.168.100.0: Subnet 255.255.255.0
Computer on Home LAN: 192.168.100.2
Remote (friends) computer on the Internet: 24.60.60.200
Let's Get To It
Version 1.3 users will need to activate the VPN connection by right-clicking the SSH Sentinel taskbar icon, selecting Select VPN and then selecting the VPN connection you created. 1.3 users will get an error message if the connection fails.
Version 1.2 users will activate the VPN network with a PING once we set up the routing.
Routing
From a command prompt (DOS shell), type the following (using a home LAN computer's IP address):
PING 192.168.100.2
You should see a 'Destination unreachable' message.
This is because the REMOTE computer does not know how to get to the private network 192.168.100.0. Type ROUTE PRINT to see the current routing table.
To add the home network to the routing table, type in the following:
route add 192.168.100.0 mask 255.255.255.0 24.60.60.100
The first number is the home LAN network IP schema, the second is the network mask, and the third number is the Internet WAN IP address of the VPN router. This route will go away after the computer is rebooted and will need to be typed in again.
Under Windows 2000 and XP, a parameter can be added that will make the route permanent:
route -p add 192.168.100.0 mask 255.255.255.0 24.60.60.100
I suggest putting this command in a BATCH file so it is easily accessible.

Testing the connection


From a command prompt (DOS shell), type the following (using a home LAN computer's IP address):
PING 192.168.100.2
For version 1.2 users, it might take a couple of tries to get this command to work. When this PING is first run, the VPN connection is established. This can take up to 60 seconds or so.
If you get a response, your VPN works!!!
Mounting a Network Drive across the VPN
Our next step is to mount a shared network drive across the VPN. From the remote computer's file explorer, select 'mount network drive' from the menu.

Next, type in the home LAN computer address and the name of the share this way. In this case, the computer I want to reach is at 192.168.100.2 and the share name I set up was 'c'.
Your VPN is now running!


Part 2a: Linksys BEFVP41 VPN Router Config

From the VPN Screen of your Linksys BEFVP41 router, configure a VPN tunnel as shown in the
picture below. You can name this tunnel anything you want - the name will not appear anywhere
else - it is unimportant.
Be sure to set the Local Secure Group to the LAN network as shown. This will give the IPSec tunnel access to all of your LAN computers.
The Pre-Shared key is VERY important. This key is the 'password' for your whole network. It will
be given to anyone that needs VPN connectivity. A single word from the dictionary should never
be used since hackers use dictionaries to break in. The key should be at least 8 characters long.
The key shown (1234) is a VERY BAD key. I am using it only for diagnostics.
Down by the View Log button, there is a 'more' link. Press it and make sure it looks like the
picture below.

Your router is now ready to receive incoming VPN connections! The picture below shows a Linksys LOG of a successful incoming VPN connection. Please note: you will not be able to see a log like this until you try connecting.

Part 3a: IPSec Client Config: SSH Sentinel v1.2


Click here if you are using v1.3

IPSec Client Software


SSH Sentinel is my IPSec client of choice - primarily because it is free for non-commercial use.
This beats the heck out of paying $150 per license for some of the other clients out there. SSH
Sentinel however is not the most intuitive client on the market. Come to think of it, all IPSec client
software programs are a little hard to set up for beginners.
Version 1.2 or 1.3?
When this tutorial was written, SSH Sentinel 1.3 was in BETA. I had a few problems with it retaining its settings, so this tutorial was written with version 1.2. If you have version 1.3, click here for v1.3 instructions.
Click here to download SSH Sentinel
Where does it go?
SSH Sentinel should be loaded on the REMOTE computers - the computers on the Internet that
you want to have access to your LAN. SSH Sentinel is a free download for non-commercial use
and can be found here.
The Install
When you see the following screen, select 'administrator email' and type in your email address.

Next, select 'self-signed certificate'


Key Configuration
Once installed, you will need to enter the 'POLICY EDITOR'. It can be reached from the start
menu or by right clicking the blue SSH Sentinel icon in your task bar.
From the SSH Sentinel Policy Editor, Select the Key Management tab and add a new key.

Select 'create a preshared key' when you see 'Mr. Buff'.

Create a name for the key and type in the exact key you typed into your router. Again, this key should be at least 8 characters long and should not be a single word from a dictionary.

You have now created a shared key. Now to create the VPN Connection.
VPN Tunnel Config
Now, from the Security Policy screen, add a new VPN Connection. Note: the picture below shows one that was already added. You should only have the add button. The folder layout will look a little different in v1.2, but that's ok.

Type in the VPN Router's WAN address. You will need to click the 'IP' button to the right if you are typing a static IP address. Next, select the shared authentication key you just created and check the 'use legacy proposal' button. Last, type in the IP schema of the LAN network that is BEHIND the VPN router, and click OK.

These are the PROPERTIES of the new VPN connection we created. Be sure yours looks like this.
Select the ADVANCED tab and make it look like this. BE SURE TO SELECT THE 'Use Perfect Forward Security' checkbox (i.e. Perfect Forward Secrecy) or it will not work! If the remote client computer is behind some kind of NAT-based router or firewall, check the 'Enable NAT Traversal' checkbox too.
Congrats! You have configured the SSH Sentinel software. Now we must do a little ROUTING to get everything working.


Part 5: Troubleshooting Client Connectivity Problems


The Logs
Your number 1 buddy in diagnosing VPN connectivity problems is the 'IKE LOG WINDOW', found by right-clicking the SSH Sentinel icon and selecting the 'auditing' menu. Be sure to set the log detail level to 'low'. Try to connect, then look at the last couple of lines of data. It will give you a hint about the problem.
Many VPN routers also have logs that can be checked.
DOUBLE CHECK ALL SETTINGS
I found that somehow or another my settings sometimes mysteriously changed in my client
setup. Double check them ALL.
Time and Time Zones
It is very important that your computer and VPN router have the correct time zone settings and time. Without these, key expiration is not handled correctly.
My remote client is behind a router or firewall
Not all firewalls or even broadband routers will pass IPSec traffic. Others require the client computer to be in a DMZ. First look at the technical specs for the router and make sure it specifies 'IPSec Passthrough'. If not, try placing the client computer in the DMZ. Also, try upgrading the firmware of your router. If neither of these works, then it might be time for a new router on the client end.
My home broadband connection uses a dynamic IP address and I don't know what it is.
You should use a Dynamic DNS service to keep track of your current IP address. Try DNS2GO.

I want to link up two LAN's instead of going computer to lan


This requires a VPN capable broadband router on both sides and will be covered by another
tutorial later.

The remote computer is on a LAN that has the same IP schema as my lan.
You will need to change the IP schema of one of the LANs. Do something like change it from 192.168.1.0/255.255.255.0 to 192.168.33.0/255.255.255.0.
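The ROUTE ADD step in Part 4 and the 'same IP schema' problem just described can both be modelled with a short Python script. This is an added example, not part of the original tutorial: it mimics Windows' longest-prefix-match route selection on the remote computer using the tutorial's addresses, while the remote computer's on-link subnet, its ISP gateway (24.60.60.1) and the tie-breaking rule (an on-link route beats an added route of equal prefix length) are constructed simplifying assumptions.

```python
"""Model of route selection on the remote (SSH Sentinel) computer.
Added example, not part of the tutorial.  Tutorial addresses are used;
the ISP gateway 24.60.60.1 and the on-link subnets are constructed."""
import ipaddress

HOME_LAN = ipaddress.ip_network("192.168.100.0/24")  # LAN BEHIND the VPN router
ROUTER_WAN = ipaddress.ip_address("24.60.60.100")    # VPN router WAN IP
HOME_PC = "192.168.100.2"                            # computer on the home LAN

def lookup(table, dst):
    """Longest-prefix match as ROUTE PRINT's table is applied: the most
    specific network wins; on a tie the lower metric wins, then table order.
    Returns the next hop ('on-link' or a gateway string) or None."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r[0]]
    if not matches:
        return None
    matches.sort(key=lambda r: (-r[0].prefixlen, r[2]))  # stable sort
    return matches[0][1]

def remote_table(remote_lan, with_vpn_route):
    """Routing table of the remote computer: its own subnet (on-link), a
    default route to its ISP gateway (constructed value), and optionally
    the route the tutorial adds with ROUTE ADD."""
    table = [
        (ipaddress.ip_network(remote_lan), "on-link", 1),
        (ipaddress.ip_network("0.0.0.0/0"), "24.60.60.1", 1),
    ]
    if with_vpn_route:
        # route add 192.168.100.0 mask 255.255.255.0 24.60.60.100
        table.append((HOME_LAN, str(ROUTER_WAN), 1))
    return table

def route_add_command(net=HOME_LAN, gw=ROUTER_WAN, persistent=True):
    """Windows ROUTE syntax: destination, 'mask', netmask, gateway;
    -p (Windows 2000/XP) keeps the route across reboots."""
    flag = "-p " if persistent else ""
    return f"route {flag}add {net.network_address} mask {net.netmask} {gw}"

def lan_conflict(remote_lan):
    """Part 5 case: a remote LAN with the same schema as the home LAN
    shadows the VPN route (equal prefix length, so on-link wins)."""
    return ipaddress.ip_network(remote_lan).overlaps(HOME_LAN)

if __name__ == "__main__":
    print(lookup(remote_table("24.60.60.0/24", False), HOME_PC))    # 24.60.60.1
    print(lookup(remote_table("24.60.60.0/24", True), HOME_PC))     # 24.60.60.100
    print(lookup(remote_table("192.168.100.0/24", True), HOME_PC))  # on-link
```

Before the route is added the ping to 192.168.100.2 follows the default route to the ISP, where a private address is not routable; after it, the /24 route sends it to the router's WAN address, where the IPSec policy picks it up.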

Linux as a broadband router


Linux has a very powerful IP stack built into the operating system. Linux itself has the capability of routing your LAN to the Internet with NAT, or Network Address Translation, which lets a whole LAN of private addresses share the single public IP address your ISP gives you. In the Linux world this is often called IP Masquerading. Here is a HowTo at LinuxDoc.

My favorite way to use Linux as a router is with a micro-distribution. There are versions of Linux out there that run off of a single floppy disk. Using one of these distributions, you can convert an old, unused computer (even a 486!) into a capable broadband router. Since the software fits on a floppy, you don't even need a hard drive in the system! Most of the micro-distributions of Linux routers have minimum requirements of a 386 with 16Mb of memory.
My favorite Linux router is called Coyote Linux. Coyote Linux has a very cool installation and configuration method. Coyote Linux starts with a Windows program. Run it, and you can actually configure the router in Windows. Next, a program creates a bootable floppy disk that has your fully configured Linux broadband router!
Update: HomeNetHelp now has an in depth article about setting up an OpenBSD
box as a great firewall / router combination. OpenBSD firewall & router
Micro-distribution based broadband router projects
Coyote Linux
http://www.coyotelinux.com/
Linux Router Project
http://www.linuxrouter.org/
EDGE Firewall, a Lineo Embedix ThinLinux demonstration of embedded computing products
http://edge.fireplug.net/
For NetBSD Fans, The NetBSD/i386 Firewall Project
http://www.dubbele.com/
General Linux Networking Links
Linux Firewall and Security Site
http://www.linux-firewall-tools.com/linux/
Home Networking with Linux
http://www.linuxgazette.com/issue28/journeay.html
IP Masquerading How-To
http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO.html

Another Linux Router Howto Site
